Bug 1426445: Add sanity check that worker uid/gid is 1000 in run-task; r=dustin,gps

MozReview-Commit-ID: 7T7rQpLhJIN --HG-- extra : rebase_source : 950b111946ef3248aedb825d280754954b8f54ad
2024-10-09 11:25:00 +00:00 · 2018-01-02 14:22:36 -07:00 · 2018-01-02 14:22:36 -07:00 · 13f8033d55
commit 13f8033d55
parent 1438296c97
5 changed files with 14 additions and 7 deletions
--- a/taskcluster/docker/debian-base/Dockerfile
+++ b/taskcluster/docker/debian-base/Dockerfile
@ -5,8 +5,8 @@ MAINTAINER Mike Hommey <mhommey@mozilla.com>

 ### Add worker user and setup its workspace.
 RUN mkdir /builds && \
-    groupadd -g 500 worker && \
-    useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker && \
+    groupadd -g 1000 worker && \
+    useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker && \
    mkdir -p /builds/worker/workspace && \
    chown -R worker:worker /builds

--- a/taskcluster/docker/google-play-strings/Dockerfile
+++ b/taskcluster/docker/google-play-strings/Dockerfile
@ -2,8 +2,8 @@ FROM          ubuntu:16.04
 MAINTAINER    Johan Lorenzo <jlorenzo+tc@mozilla.com>

 RUN mkdir /builds
-RUN groupadd -g 500 worker
-RUN useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker
+RUN groupadd -g 1000 worker
+RUN useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker

 RUN apt-get update
 RUN apt-get install --yes git python3-setuptools build-essential libssl-dev libffi-dev python3-dev
--- a/taskcluster/docker/recipes/run-task
+++ b/taskcluster/docker/recipes/run-task
@ -289,6 +289,13 @@ def main(args):
                  args.group)
            return 1

+        if user.pw_name == 'worker' and user.pw_uid != 1000:
+            print('user `worker` must have uid=1000.')
+            return 1
+        if group.gr_name == 'worker' and group.gr_gid != 1000:
+            print('group `worker` must have gid=1000.')
+            return 1
+
        # Find all groups to which this user is a member.
        gids = [g.gr_gid for g in grp.getgrall() if args.group in g.gr_mem]

--- a/taskcluster/docker/update-verify/Dockerfile
+++ b/taskcluster/docker/update-verify/Dockerfile
@ -10,8 +10,8 @@ RUN dpkg --add-architecture i386 && apt-get -q update \
    && apt-get clean

 RUN mkdir /builds
-RUN groupadd -g 500 worker
-RUN useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker
+RUN groupadd -g 1000 worker
+RUN useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker
 WORKDIR /builds/worker

 VOLUME /builds/worker/.cache
--- a/taskcluster/taskgraph/transforms/task.py
+++ b/taskcluster/taskgraph/transforms/task.py
@ -875,7 +875,7 @@ def build_docker_worker_payload(config, task, task_def):
        # string literal in the variable below can be changed. This is
        # preferred to changing run-task because it doesn't require images
        # to be rebuilt.
-        cache_version = 'v2'
+        cache_version = 'v3'

        if run_task:
            suffix = '-%s-%s' % (cache_version, _run_task_suffix())